CVE-2026-31701 (GCVE-0-2026-31701)
Vulnerability from cvelistv5 – Published: 2026-05-01 13:56 – Updated: 2026-05-01 13:56
VLAI?
Title
ALSA: caiaq: take a reference on the USB device in create_card()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: caiaq: take a reference on the USB device in create_card()
The caiaq driver stores a pointer to the parent USB device in
cdev->chip.dev but never takes a reference on it. The card's
private_free callback, snd_usb_caiaq_card_free(), can run
asynchronously via snd_card_free_when_closed() after the USB
device has already been disconnected and freed, so any access to
cdev->chip.dev in that path dereferences a freed usb_device.
On top of the refcounting issue, the current card_free implementation
calls usb_reset_device(cdev->chip.dev). A reset in a free callback
is inappropriate: the device is going away, the call takes the
device lock in a teardown context, and the reset races with the
disconnect path that the callback is already cleaning up after.
Take a reference on the USB device in create_card() with
usb_get_dev(), drop it with usb_put_dev() in the free callback,
and remove the usb_reset_device() call.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4507a8b9b30344c5ddd8219945f446d47e966a6d , < f6634af5de728a46792f674a66d7843570cb68f7
(git)
Affected: a3f9314752dbb6f6aa1f0f2b4c58243bda800738 , < 1d9be95aee6c6246a21752e60c9519902649f482 (git) Affected: b04dcbb7f7b1908806b7dc22671cdbe78ff2b82c , < 6473ed16df1fe88051140611b3eb9a49be7f429e (git) Affected: b04dcbb7f7b1908806b7dc22671cdbe78ff2b82c , < 59b622a043cffc58b7638cd85ae6c30a0904f8e6 (git) Affected: b04dcbb7f7b1908806b7dc22671cdbe78ff2b82c , < 80bb50e2d459213cccff3111d5ef98ed4238c0d5 (git) Affected: 3993edf44d3df7b6e8c753eac6ac8783473fcbab (git) Affected: ebad462eec93b0f701dfe4de98990e7355283801 (git) Affected: 4dd821dcbfcecf7af6a08370b0b217cde2818acf (git) Affected: cadf1d8e9ddcd74584ec961aeac14ac549b261d8 (git) Affected: 237f3faf0177bdde728fa3106d730d806436aa4d (git) Affected: dd0de8cb708951cebf727aa045e8242ba651bb52 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/caiaq/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f6634af5de728a46792f674a66d7843570cb68f7",
"status": "affected",
"version": "4507a8b9b30344c5ddd8219945f446d47e966a6d",
"versionType": "git"
},
{
"lessThan": "1d9be95aee6c6246a21752e60c9519902649f482",
"status": "affected",
"version": "a3f9314752dbb6f6aa1f0f2b4c58243bda800738",
"versionType": "git"
},
{
"lessThan": "6473ed16df1fe88051140611b3eb9a49be7f429e",
"status": "affected",
"version": "b04dcbb7f7b1908806b7dc22671cdbe78ff2b82c",
"versionType": "git"
},
{
"lessThan": "59b622a043cffc58b7638cd85ae6c30a0904f8e6",
"status": "affected",
"version": "b04dcbb7f7b1908806b7dc22671cdbe78ff2b82c",
"versionType": "git"
},
{
"lessThan": "80bb50e2d459213cccff3111d5ef98ed4238c0d5",
"status": "affected",
"version": "b04dcbb7f7b1908806b7dc22671cdbe78ff2b82c",
"versionType": "git"
},
{
"status": "affected",
"version": "3993edf44d3df7b6e8c753eac6ac8783473fcbab",
"versionType": "git"
},
{
"status": "affected",
"version": "ebad462eec93b0f701dfe4de98990e7355283801",
"versionType": "git"
},
{
"status": "affected",
"version": "4dd821dcbfcecf7af6a08370b0b217cde2818acf",
"versionType": "git"
},
{
"status": "affected",
"version": "cadf1d8e9ddcd74584ec961aeac14ac549b261d8",
"versionType": "git"
},
{
"status": "affected",
"version": "237f3faf0177bdde728fa3106d730d806436aa4d",
"versionType": "git"
},
{
"status": "affected",
"version": "dd0de8cb708951cebf727aa045e8242ba651bb52",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/caiaq/device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "6.6.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.84",
"versionStartIncluding": "6.12.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.325",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.287",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.231",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.174",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: caiaq: take a reference on the USB device in create_card()\n\nThe caiaq driver stores a pointer to the parent USB device in\ncdev-\u003echip.dev but never takes a reference on it. The card\u0027s\nprivate_free callback, snd_usb_caiaq_card_free(), can run\nasynchronously via snd_card_free_when_closed() after the USB\ndevice has already been disconnected and freed, so any access to\ncdev-\u003echip.dev in that path dereferences a freed usb_device.\n\nOn top of the refcounting issue, the current card_free implementation\ncalls usb_reset_device(cdev-\u003echip.dev). A reset in a free callback\nis inappropriate: the device is going away, the call takes the\ndevice lock in a teardown context, and the reset races with the\ndisconnect path that the callback is already cleaning up after.\n\nTake a reference on the USB device in create_card() with\nusb_get_dev(), drop it with usb_put_dev() in the free callback,\nand remove the usb_reset_device() call."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T13:56:00.869Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f6634af5de728a46792f674a66d7843570cb68f7"
},
{
"url": "https://git.kernel.org/stable/c/1d9be95aee6c6246a21752e60c9519902649f482"
},
{
"url": "https://git.kernel.org/stable/c/6473ed16df1fe88051140611b3eb9a49be7f429e"
},
{
"url": "https://git.kernel.org/stable/c/59b622a043cffc58b7638cd85ae6c30a0904f8e6"
},
{
"url": "https://git.kernel.org/stable/c/80bb50e2d459213cccff3111d5ef98ed4238c0d5"
}
],
"title": "ALSA: caiaq: take a reference on the USB device in create_card()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31701",
"datePublished": "2026-05-01T13:56:00.869Z",
"dateReserved": "2026-03-09T15:48:24.132Z",
"dateUpdated": "2026-05-01T13:56:00.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-31701",
"date": "2026-05-05",
"epss": "0.00018",
"percentile": "0.04829"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-31701\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-01T14:16:20.020\",\"lastModified\":\"2026-05-01T15:24:14.893\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: caiaq: take a reference on the USB device in create_card()\\n\\nThe caiaq driver stores a pointer to the parent USB device in\\ncdev-\u003echip.dev but never takes a reference on it. The card\u0027s\\nprivate_free callback, snd_usb_caiaq_card_free(), can run\\nasynchronously via snd_card_free_when_closed() after the USB\\ndevice has already been disconnected and freed, so any access to\\ncdev-\u003echip.dev in that path dereferences a freed usb_device.\\n\\nOn top of the refcounting issue, the current card_free implementation\\ncalls usb_reset_device(cdev-\u003echip.dev). A reset in a free callback\\nis inappropriate: the device is going away, the call takes the\\ndevice lock in a teardown context, and the reset races with the\\ndisconnect path that the callback is already cleaning up after.\\n\\nTake a reference on the USB device in create_card() with\\nusb_get_dev(), drop it with usb_put_dev() in the free callback,\\nand remove the usb_reset_device() call.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1d9be95aee6c6246a21752e60c9519902649f482\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/59b622a043cffc58b7638cd85ae6c30a0904f8e6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6473ed16df1fe88051140611b3eb9a49be7f429e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/80bb50e2d459213cccff3111d5ef98ed4238c0d5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f6634af5de728a46792f674a66d7843570cb68f7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…